Access Management with Aruba ClearPass 
Austin Hawthorne 
December 12th, 2014
CONFIDENTIAL 
© Copyright 2014. Aruba Networks, Inc. 
All rights reserved 
2 #AirheadsConf 
Agenda 
Defining Adaptive Policies 
Context Collection 
Leveraging Context in NAC Policies 
Enhancing User Experience, Operations, and Security with Context
3 
Why Adaptive Policies?
THEN: Predictable Desk Access
NOW: Access from Anywhere
4 
Deciphering Context for Policy Decisions
• Jailbroken phone?
• BYOD?
• Guest?
• Office?
• Device type?
• Firewall enabled?
• Employee?
• Skim milk?
Policies must adapt to conditions
5 
Common Security Questions
• Is this a corporate device or a personal device connecting to my wireless network with my employee’s account information?
• Is this a printer or a computer connecting to my wired network without 802.1X?
• How do I keep corporate devices off the Guest SSID?
• I trust my corporate assets, but I need to check the compliance of contractor computers when they connect, and restrict contractors from using mobile devices. How?
6 
Adaptive Trust: Context Collection
7 
The Heart of an Adaptive Trust Decision
Usable Context:
• User & role
• Device & type
• Ownership - IT or BYOD
• Device assessment
• Access type
• Location - Secure or open access
• Auth type - credentials or certificate
• App traffic & behavior
• Session rules
• Time-of-day / Day-of-Week
8 
Sources of Usable Context
Device Profiling
• Samsung SM-G900
• Android
• “Jons-Galaxy”
EMM/MDM
• Personal owned
• Registered
• OS up-to-date
• Hansen, Jon [Sales]
• MDM enabled = true
• In-compliance = true
Identity Stores
• Hansen, Jon [Sales]
• Title – COO
• Dept – Executive office
• City – London
Enforcement Points
• Location – Bldg 10
• Floor – 3
• Bandwidth – 10Mbps
9
Sources of Usable Context (continued): the Adaptive Trust identity
Identity assembled from the four sources above:
• Hansen, Jon [Sales]
• COO, Executive Office
• London
• Personal Owned
• Samsung SM-G900
• Android 4.4, Knox
• MDM enabled = true
• In-compliance = true
• At Bldg 10, floor 3
• 21:22GMT, 21/12/14
10 
Context Sources
• External:
  • Network Devices
  • Radius/TACACS
  • AD/LDAP
  • SAML/OAUTH2/Okta
  • Radius
  • Kerberos
  • Token Servers
  • SQL Databases
  • MDM Systems
  • Aruba Activate
  • HTTP
• Internal:
  • Endpoint DB
  • Profiling information from: DHCP, HTTP, SNMP, IOS Device Sensor, ActiveSync, OnGuard, Onboard
  • Insight DB
  • Session/State Information
  • Guest User/Device DB
  • Date/Time
  • LocalUser DB
11 
Context Examples
12
Adaptive Trust: Leverage Context in Policy Decisions
13 
Adaptive Policy Driven by Context
                  Corporate Tablet              BYOD Tablet
Authentication    EAP-TLS                       EAP-TLS
SSID              CORP-SECURE                   CORP-SECURE
Result            Internet and Corporate Apps   Internet Only
14 
ClearPass Policy Model – AuthN vs AuthZ
ClearPass Policy Manager pipeline: Service Matching → Authentication → Authorization → Role Mapping → Enforcement
Context sources consulted along the way: AD/LDAP, Guest, Insight, Endpoint, Onboard, SQL, MDM, HTTP
Request = Radius
• Username = Bob
• Mac Address = XYZ
• SSID = Secure
• Location = Building 1
Added Context (authorization):
• MDM Enrolled = True
• Device Type = iPad
• Owner = Bob
• Required Apps = True
• Active Sessions = 2
• AD Group = Exec
• Corp Asset = True
Response = Radius
• Accept
• Reject
• Attributes
15 
Role-Mapping
• Role-Mapping is used to filter the collected contextual data into “tags” (roles) that can be used as enforcement conditions.
• “Select All” vs “Select First” condition matching: with Select All every matching rule contributes its role (a session can be tagged both Employee and Corporate Device), with Select First only the first rule that matches assigns a role.
• Be careful with “AND” vs “OR” between the conditions of a rule.
• Available options:
  • Radius/TACACS Attributes
  • Authentication Attributes
  • Authorization Attributes (from any source)
  • Certificate Attributes
  • Endpoint Attributes
  • Date/Time Attributes
16 
Sample Role Mapping
(Screenshot of a role-mapping policy whose rules draw on Device Context, Auth Context, User Context, Cert Context, Onboard Context and MDM Context.)
17 
Enforcement Policies
• Condition-based rules to determine which enforcement profile(s) to use.
• Can signal multiple actions, more on that later.
• Leverages “Roles” assigned during Role-Mapping.
• Leverages the “Posture” token assigned during the posture check.
• Typically a top-down, “First Match” rule matching algorithm.
18 
Sample Enforcement Policy
(Screenshots of two enforcement policies: one using Roles for User and Device, one using Roles and Posture.)
19 
Enforcement Profiles
• Profiles are essentially the enforcement “actions” you want to signal based on the set conditions.
• Multiple types of Enforcement Profiles:
  • Radius
  • Radius CoA
  • SNMP
  • CLI
  • HTTP
  • Entity Update
  • OnGuard Agent
  • TACACS
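The pipeline from the last few slides (authorization adds context to the request, role mapping turns it into tags, the enforcement policy picks profiles by first match, profiles become RADIUS attributes) as an added, runnable model in Python. It is not ClearPass code: the lookup tables, rule definitions, role and profile names and the two requests are constructed for the illustration; only the slide-14 attribute names and the Aruba-User-Role VSA are taken from real usage. It also shows what the Select First warning on slide 15 means in practice: under select_first the corporate iPad is tagged only Employee, so no enforcement rule matches and the default Deny applies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, str]

# Constructed stand-ins for the slide-14 authorization sources (AD/LDAP, Endpoint DB, MDM).
AD_GROUPS = {"bob": "Exec"}
ENDPOINT_DB = {"XYZ": {"Device Type": "iPad", "Corp Asset": "True"},
               "ABC": {"Device Type": "iPad", "Corp Asset": "False"}}
MDM_DB = {"XYZ": {"MDM Enrolled": "True", "Required Apps": "True"},
          "ABC": {"MDM Enrolled": "False", "Required Apps": "False"}}

def authorize(request: Context) -> Context:
    """Authorization: merge each source's context into the request (authN assumed passed)."""
    ctx = dict(request)
    ctx["AD Group"] = AD_GROUPS.get(request["Username"], "")
    ctx.update(ENDPOINT_DB.get(request["Mac Address"], {}))
    ctx.update(MDM_DB.get(request["Mac Address"], {}))
    return ctx

@dataclass
class RoleRule:
    role: str
    conditions: List[Callable[[Context], bool]]
    match: str = "all"  # "all" ANDs the conditions together, "any" ORs them

    def matches(self, ctx: Context) -> bool:
        return (all if self.match == "all" else any)(c(ctx) for c in self.conditions)

def map_roles(ctx: Context, rules: List[RoleRule], mode: str = "select_all") -> List[str]:
    """Role mapping: "select_all" collects every matching rule's role, "select_first" stops at the first."""
    roles: List[str] = []
    for rule in rules:
        if rule.matches(ctx):
            roles.append(rule.role)
            if mode == "select_first":
                break
    return roles

@dataclass
class Session:
    ctx: Context
    roles: List[str]
    posture: str = "UNKNOWN"  # token from a posture (OnGuard-style) check

EnforcementRule = Tuple[Callable[[Session], bool], Tuple[str, ...]]  # (condition, profiles signalled)

def enforce(session: Session, rules: List[EnforcementRule],
            default: Tuple[str, ...] = ("Deny",)) -> Tuple[str, ...]:
    """Enforcement policy: top-down, first match wins; otherwise the default."""
    for condition, profiles in rules:
        if condition(session):
            return profiles
    return default

# Constructed profiles: RADIUS attributes to return, None = reject. Aruba-User-Role is a real VSA.
PROFILES: Dict[str, Optional[Dict[str, str]]] = {
    "Corp-Full": {"Aruba-User-Role": "corp-full"},
    "Internet-Only": {"Aruba-User-Role": "internet-only"},
    "Quarantine": {"Aruba-User-Role": "quarantine"},
    "Deny": None,
}

def radius_response(profiles: Tuple[str, ...]) -> Tuple[str, Dict[str, str]]:
    """Collapse the signalled profiles into one RADIUS reply; any reject wins."""
    attrs: Dict[str, str] = {}
    for name in profiles:
        if PROFILES[name] is None:
            return ("Access-Reject", {})
        attrs.update(PROFILES[name])
    return ("Access-Accept", attrs)

ROLE_RULES = [
    RoleRule("Employee", [lambda c: c["AD Group"] != ""]),
    RoleRule("Corporate Device", [lambda c: c.get("Corp Asset") == "True",   # all (AND)
                                  lambda c: c.get("MDM Enrolled") == "True",
                                  lambda c: c.get("Required Apps") == "True"]),
    RoleRule("BYOD", [lambda c: c.get("Corp Asset") == "False",              # any (OR)
                      lambda c: c.get("MDM Enrolled") == "False"], match="any"),
]
ENFORCEMENT_RULES: List[EnforcementRule] = [
    (lambda s: s.posture == "UNHEALTHY", ("Quarantine",)),
    (lambda s: {"Employee", "Corporate Device"} <= set(s.roles), ("Corp-Full",)),
    (lambda s: {"Employee", "BYOD"} <= set(s.roles), ("Internet-Only",)),
]

def decide(request: Context, posture: str = "HEALTHY", mode: str = "select_all") -> Tuple[str, Dict[str, str]]:
    """Run one RADIUS request through authorization, role mapping and enforcement."""
    ctx = authorize(request)
    session = Session(ctx, map_roles(ctx, ROLE_RULES, mode), posture)
    return radius_response(enforce(session, ENFORCEMENT_RULES))

# Constructed requests: same user and SSID, corporate vs personal tablet.
CORP_IPAD = {"Username": "bob", "Mac Address": "XYZ", "SSID": "CORP-SECURE"}
BYOD_IPAD = {"Username": "bob", "Mac Address": "ABC", "SSID": "CORP-SECURE"}
```

decide(CORP_IPAD) yields Access-Accept with corp-full and decide(BYOD_IPAD) internet-only, the slide-13 outcome from one SSID and one credential. With posture "UNHEALTHY" the corporate tablet is quarantined because that rule is listed first, and with mode "select_first" it is rejected outright. The last case is the point of the Select First warning: enforcement conditions that need two tags can never be satisfied when role mapping stops after one.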
20
Adaptive Trust: Security, Operational, and User Experience Advantages
21 
Security Disconnect
Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
Systems involved: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW (each marked “?” in the diagram)
22
User and Operational Disconnect
Systems involved: VPN, AAA/NAC, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW (two marked “X”, the rest “?” in the diagram)
• User can’t connect to the network
• User application access is slow or disconnects
• Where does the problem exist?
• When do you know about the problem?
• Where do you start?
23
Time for a New Perimeter Defense Model
Perimeter Defense: Firewalls, IDS/IPS, Physical, A/V, Web gateways
Mobility Defense: EMM/MDM, Firewalls, Access Policy Management, IDS/IPS/AV Enforcement Points
Policy needed for central point of control
24 
Security and Usability Coordination
ClearPass coordinating with: VPN, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Who: Bob
Group: Faculty
Device: Personal iPad
Location: Room 104
Time: 9am, Monday
Compliance: Healthy
Mac Address: X
IP Address: Y
Airgroup Permissions
What if, when the user connects, ClearPass could:
- Update the FW
- Update the IPAM
- Update the Proxy
- Logon the application
- Update the WLAN
25 
User Self Service
ClearPass coordinating with: VPN, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
Self Service:
- BYOD Portal
- Device/Guest Registration
- Device Access Management
- Auto-Remediation
- Notification Pages
26 
Operational Integration
ClearPass coordinating with: VPN, DHCP/DNS, AD/LDAP, Network Applications, Ticketing System, Proxy/Filter, Network Mgmt, FW
- Auto Open Help Desk Ticket
- Notify User
- Integration into Network Management
27 
Integration Options
• “Built In” Integration
  • MDM Actions
  • Palo Alto HIP Updates
  • Syslog
  • Splunk App
  • CEF/LEEF Support (Future)
  • Radius Proxy (future)
  • Inbound API
  • Web Pages: OnGuard DA, OnBoard, Device/User Registration, Notification/Warning
• “Build your own” Integration
  • ClearPass Exchange
  • REST/XML Based API
28
Mitigating Risks using 3rd Party Integration
Jailbreak example:
1. Jail-broken device detected (Adaptive Trust identity)
2. ClearPass denies access to the device
3. Via ClearPass Exchange (RESTful APIs, syslog messages): helpdesk ticket auto generated, message to device auto generated
29 
Enforcement Example
One enforcement policy signalling several actions at once:
• Radius action to force notification page
• Send user SMS notification
• Update Palo Alto firewall
• Open help desk ticket
• Send email to security team
• Sound the alarm!
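An added example (not ClearPass or ClearPass Exchange code) of the fan-out pattern on this slide: one decision produces the RADIUS reply plus several side-effect actions, and a practitioner wants those side effects isolated from each other and from the access decision, so that a ticketing outage neither blocks the SMS nor turns a quarantine into a reject. The session values, payload shapes, target names, the notify-jailbroken role, the syslog facility and the recording transport are all constructed here; only the Aruba-User-Role attribute is a real Aruba RADIUS VSA.

```python
import json
import logging
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Decision = Tuple[str, Dict[str, str]]
Transport = Callable[[str, Dict[str, str]], None]
log = logging.getLogger("enforcement")

# Constructed session context at enforcement time; the MDM has flagged the phone.
JAILBROKEN = {"user": "bob", "mac": "00:11:22:33:44:55", "device": "iPhone",
              "location": "Building 1", "jailbroken": "true", "phone": "+15555550100"}

# The RADIUS action: accept into a captive-portal role that shows the notification
# page. The role name is made up; Aruba-User-Role is a real VSA.
NOTIFY_PAGE: Decision = ("Access-Accept", {"Aruba-User-Role": "notify-jailbroken"})

@dataclass
class Action:
    name: str                                   # target system
    build: Callable[[Session], Dict[str, str]]  # payload for that system

def ticket_payload(s: Session) -> Dict[str, str]:
    return {"short_description": f"Jailbroken device for {s['user']}",
            "mac": s["mac"], "device": s["device"], "location": s["location"]}

def sms_payload(s: Session) -> Dict[str, str]:
    return {"to": s["phone"], "text": f"Your {s['device']} is jailbroken; "
            "network access is restricted until it is remediated."}

def firewall_payload(s: Session) -> Dict[str, str]:
    # A user-to-tag mapping the firewall can match in policy (shape is hypothetical).
    return {"user": s["user"], "tag": "jailbroken"}

def email_payload(s: Session) -> Dict[str, str]:
    return {"to": "security-team@example.com",
            "subject": f"Jailbroken device detected: {s['mac']} ({s['user']})"}

ACTIONS = [Action("ticket", ticket_payload), Action("sms", sms_payload),
           Action("firewall", firewall_payload), Action("email", email_payload)]

def syslog_line(s: Session, decision: Decision, outcomes: Dict[str, str]) -> str:
    """One audit record per decision: PRI <165> (local4.notice) plus key=value pairs."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    fields = {"user": s["user"], "mac": s["mac"], "reason": "jailbroken",
              "radius": decision[0], "role": decision[1].get("Aruba-User-Role", "-")}
    fields.update({f"action.{k}": v for k, v in outcomes.items()})
    return f"<165>{ts} clearpass-policy: " + " ".join(f"{k}={v}" for k, v in fields.items())

def enforce(s: Session, decision: Decision, send: Transport,
            actions: List[Action] = ACTIONS) -> Tuple[Decision, Dict[str, str], str]:
    """Return the RADIUS decision unchanged and fan out the side-effect actions.
    Every action runs even if an earlier one fails, and no failure alters the decision."""
    outcomes: Dict[str, str] = {}
    for action in actions:
        try:
            send(action.name, action.build(s))
            outcomes[action.name] = "ok"
        except Exception as exc:  # transport or remote error: record it and carry on
            log.warning("%s action failed for %s: %s", action.name, s["mac"], exc)
            outcomes[action.name] = "failed"
    return decision, outcomes, syslog_line(s, decision, outcomes)

def make_recorder(fail: Tuple[str, ...] = ()) -> Tuple[Transport, List[str]]:
    """Constructed transport: records what a REST client would POST instead of
    sending it, and raises for the named systems to simulate an outage."""
    sent: List[str] = []

    def send(name: str, payload: Dict[str, str]) -> None:
        if name in fail:
            raise ConnectionError(f"{name} endpoint unreachable")
        sent.append(f"POST /{name} {json.dumps(payload, sort_keys=True)}")
    return send, sent

if __name__ == "__main__":
    send, sent = make_recorder(fail=("ticket",))
    decision, outcomes, line = enforce(JAILBROKEN, NOTIFY_PAGE, send)
    print(decision, outcomes)
    print(line)
```

Swapping make_recorder for a real HTTP client is the only change needed to drive actual systems; the ordering guarantee and the audit line stay the same. The syslog line carries the per-action outcome, so a SIEM can alert on action.ticket=failed without the user ever seeing a different access result.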
30 
Dynamic Content based on Context
• Device, User, and Posture context can be pulled into actions and web pages.
• Leverages “NameSpace” variables in enforcement actions and web login pages.
31 
NameSpaces in ClearPass
• Almost all of the “context” that is collected by ClearPass can be called up and used via dynamic “namespace” variables.
• For example:
  • %{Endpoint:Model}
  • %{Radius:Aruba:Aruba-Location-Id}
  • %{Authentication:Full-Username}
• These can be used in role mapping, enforcement profiles and policies, auth source filters/queries, etc., in place of static values.
• When used, the variable is replaced dynamically with the value pertaining to that device or user.
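An added example (not ClearPass code) of resolving variables written in the %{Namespace:Attribute} form shown above, and of why the place a value is substituted into matters: an endpoint hostname comes from the device itself (DHCP option 12) and the username from whatever the supplicant sent, so an auth-source filter or a web page that embeds them must escape for that destination. The regex, context values, templates, hostile values and helper names are constructed for this illustration; the deck does not say how ClearPass handles such values internally, and the escaping shown is the check a practitioner would want in any templating layer.

```python
import html
import re
from typing import Callable, Dict

# %{Namespace:Attribute}, including vendor-qualified RADIUS forms such as
# %{Radius:Aruba:Aruba-Location-Id} (syntax as written on the slide).
NAMESPACE_RE = re.compile(r"%\{([A-Za-z0-9_-]+(?::[A-Za-z0-9_ -]+)+)\}")

# Constructed session context, keyed the way the variables are written.
CONTEXT = {
    "Endpoint:Model": "Samsung SM-G900",
    "Endpoint:Hostname": "Jons-Galaxy",
    "Radius:Aruba:Aruba-Location-Id": "Bldg10-Floor3",
    "Authentication:Full-Username": "jon.hansen@example.com",
}

def resolve(template: str, context: Dict[str, str],
            escape: Callable[[str], str] = lambda v: v, missing: str = "") -> str:
    """Replace each %{...} with its context value, passed through `escape`.
    Unknown variables become `missing` instead of surviving into the output."""
    return NAMESPACE_RE.sub(lambda m: escape(context.get(m.group(1), missing)), template)

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value inside an LDAP search filter: the filter
    metacharacters * ( ) backslash and NUL become backslash-hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

# Constructed templates: an SMS action, an auth-source filter and a web page.
SMS_TEMPLATE = ("Your %{Endpoint:Model} (%{Endpoint:Hostname}) at "
                "%{Radius:Aruba:Aruba-Location-Id} needs attention.")
LDAP_FILTER = "(&(objectClass=user)(mail=%{Authentication:Full-Username}))"
PAGE = "<p>Welcome, %{Endpoint:Hostname}</p>"

# Hostile values a device or supplicant could supply for those two variables.
HOSTILE = dict(CONTEXT, **{"Endpoint:Hostname": "<b>x</b>",
                           "Authentication:Full-Username": "*)(uid=*"})

def render_sms(context: Dict[str, str] = CONTEXT) -> str:
    return resolve(SMS_TEMPLATE, context)                 # plain text: no escaping needed

def render_filter(context: Dict[str, str] = CONTEXT) -> str:
    return resolve(LDAP_FILTER, context, escape=ldap_filter_escape)

def render_page(context: Dict[str, str] = CONTEXT) -> str:
    return resolve(PAGE, context, escape=html.escape)

if __name__ == "__main__":
    print(render_sms())
    print(resolve(LDAP_FILTER, HOSTILE))  # unescaped: (mail=*)(uid=*) matches any user with mail and uid
    print(render_filter(HOSTILE))         # escaped: the metacharacters become \2a \29 \28
    print(render_page(HOSTILE))           # escaped: the tag is rendered as text
```

The unescaped filter is the classic LDAP filter injection: the injected value closes the mail clause and opens a wildcard one, so the lookup that was meant to find one user finds them all. The same resolve function serves every destination; only the escape argument changes, which is the property to look for in any system that lets context flow into queries and pages.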
32 
Conclusion
33 
• Context is the foundation of ClearPass
• More contextual sources than any other vendor!
• Ability to share context with more vendors than our competitors!
• Context provides for greater security, visibility, and flexibility to support the ever-changing #GenMobile environment.
• Please check out the “Secure Air” booth during your break for a demonstration of these principles in action!
Thank You 
34 

Shanghai Breakout: Access Management with Aruba ClearPass


Editor's Notes

  • #4 When endpoints were static, corporate controlled and well-known, we could live with static rules. Today’s mobile technology and the velocity of endpoint change makes this old-style of access enforcement ineffective. What’s needed is a policy solution as your foundation that includes RADIUS and TACACS, is built to handle a variety of operating systems, device types, identity stores, and provides the flexibility for how users work today – from anywhere, at any time. The same solution should also support guest access, profiling, and device configuration from a single pane of glass. IT can create, manage and monitor policies from a central entity with less complexity. The ability to leverage context and data from multiple identity stores, or auth methods is important as well. This lets IT treat IT-managed and personal devices differently and use more granular enforcement. Something that legacy AAA solutions do not support.
  • #9 While IT has busily deployed a number of physical and legacy software security mechanisms like Palo Alto, Juniper and others for protecting the perimeter, #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs.
  • #10 As the centralized gatekeeper and contextual store for all user authentication and device profiling data, ClearPass constructs a composite identity for the user and device. This information is used for ClearPass’ own access decision making and is also shared with other network security systems in the enterprise. All network security components use consistent, authoritative data which makes your access story stronger.
  • #24 PAN COVERS THIS SLIDE New user habits, threats, and end-points require you to rethink how you protect your access layer. Best-of-breed but siloed security solutions like Palo Alto, MobileIron, and others for protecting the perimeter no longer cut it. #GenMobile has completely diluted the notion of a fixed perimeter – it doesn’t exist in a mobile world where users connect and work from anywhere. Your infrastructure needs to be aware of the changes in the environment and adapt! To head off any risks, many enterprise IT organizations are resorting to extreme measures by adopting a zero-trust approach to security. Unfortunately, zero-trust treats everyone like potential adversaries. What’s needed is a policy solution that leverages user and device data to make smarter decisions based on each user’s mobility needs.
  • #29 ClearPass Exchange is the glue that makes everything work seamlessly and lets you customize new workflows. Using common-language representational state transfer (REST) APIs and data feeds like syslog, context like user ID, device, location, and authentication state can be shared with 3rd party systems. No more complex scripting languages and tedious manual configurations. Let’s look at an example:
    1. User authentication attempt with jail broken device
    2. ClearPass quarantines device via RADIUS
    3. Using RESTful API, ClearPass automatically creates trouble ticket in ServiceNow including: User ID, MAC address, Device type, Location
    4. Email sent to helpdesk staff